- From: David Morris <dwm@xpasc.com>
- Date: Wed, 6 Jun 2012 10:37:47 -0700 (PDT)
- To: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, 5 Jun 2012, Julian Reschke wrote:

> On 2012-06-05 02:16, David Morris wrote:
> > ...
> > This took a few days to set up a careful test case. I don't have the time
> > or resources to test every client, so I can't refute the claim that some
> > clients send the authorization header for a part of the hosts content
> > which it doesn't apply to, but I've tested:
>
> What's the definition of "doesn't apply to"?

From memory ... which has stuck with me because I wasn't real happy with the definition ...

Thinking of URLs as representing the hierarchical name space we commonly associate with a file system ...

Realm "RauthA" returned in a 401 response's www-authenticate header for a request for authab/a/ may be assumed to apply to directory authab/a/ and to all directories under authab/a/.

So if the client has credentials for authab/a/ it may return those credentials in the Authorization header in a request for authab/a/aa/ anticipating that the same credential would apply, but not for authab/ or any peer of authab/a/ such as authab/b/ in my test.

My current test setup doesn't support the subdirectory case, but I think I'll expand it when I get a chance. I also need to go back and review the RFCs to validate my memory.

Dave Morris
Received on Wednesday, 6 June 2012 18:09:10 UTC
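The protection-space rule discussed in this message (a challenge for authab/a/ covers authab/a/ and everything below it, but not authab/ or the sibling authab/b/) is the check a client must make before preemptively attaching a cached Authorization header; getting it wrong sends the credential to a part of the site the challenge never covered. The following is an added example, not code from the thread or from any client under test: a small credential cache that stores each credential under its origin and protection-space root and only returns it for paths at or below that root. The path-handling follows the Basic scheme's "directory of the last symbolic element" rule as the author of this example reads it; the URLs, the realm name and the credential string are constructed sample values.

```python
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


def _normalize(path: str) -> str:
    """Resolve dot-segments so '/authab/a/../b/' cannot masquerade as
    something under '/authab/a/'. A trailing slash is preserved because it
    marks a directory."""
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def protection_space_root(challenged_path: str) -> str:
    """Directory covered by a 401 challenge received for `challenged_path`:
    everything up to and including the last '/'. So '/authab/a/index.html'
    and '/authab/a/' both map to '/authab/a/'."""
    path = _normalize(challenged_path)
    return path[: path.rfind("/") + 1]


def credential_applies(challenged_path: str, request_path: str) -> bool:
    """True only when `request_path` is at or below the challenged directory.
    Because the root always ends in '/', the prefix test matches on a
    segment boundary: '/authab/a/' does not cover '/authab/ab/'."""
    root = protection_space_root(challenged_path)
    return _normalize(request_path).startswith(root)


def _origin(url: str) -> Origin:
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class CredentialCache:
    """Remembers credentials per (origin, protection-space root) and hands
    one out only for requests inside that space (hypothetical helper)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[Origin, str], Tuple[str, str]] = {}

    def remember(self, challenged_url: str, realm: str, credential: str) -> None:
        """Called after a successful response to a challenge at `challenged_url`."""
        parts = urlsplit(challenged_url)
        key = (_origin(challenged_url), protection_space_root(parts.path))
        self._entries[key] = (realm, credential)

    def authorization_for(self, url: str) -> Optional[str]:
        """Credential to send preemptively, or None if no cached protection
        space on the same origin covers this URL."""
        origin = _origin(url)
        path = _normalize(urlsplit(url).path)
        for (entry_origin, root), (_realm, credential) in self._entries.items():
            if entry_origin == origin and path.startswith(root):
                return credential
        return None


if __name__ == "__main__":
    # Constructed sample: realm "RauthA" challenged at /authab/a/.
    cache = CredentialCache()
    cache.remember("http://example.test/authab/a/", "RauthA", "Basic dXNlcjpwYXNz")
    for target in ("/authab/a/aa/", "/authab/b/", "/authab/", "/authab/a/../b/"):
        sent = cache.authorization_for("http://example.test" + target)
        print(f"{target:20} -> {'send credential' if sent else 'no credential'}")
```

Run directly, the script shows the credential being offered for authab/a/aa/ and withheld for authab/, authab/b/ and a dot-segment path that resolves outside the protected directory. The origin is part of the key so that a credential learned over HTTP is never offered on a different scheme, host or port.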